The objective of this audit was to determine the extent to which the DoD developed guidance, conducted training, and oversaw the implementation of the DoD Controlled Unclassified Information (CUI) Program. We also reviewed a sample of documents that were identified by the DoD Components and contractors as containing CUI to determine whether the documents had CUI headers and footers, a designation indicator, and portion markings as required by DoD guidance (referred to as the required markings throughout this report). CUI is information created or possessed for the Government that requires safeguarding or dissemination controls according to applicable laws, regulations, and Government-wide policies. We will continue to explore opportunities for additional oversight on the implementation of the DoD CUI Program.
Executive Order 13556, “Controlled Unclassified Information,” established a Government-wide program to standardize the way the Executive Branch handles unclassified information that requires safeguarding or dissemination controls. DoD Instruction 5200.48, “Controlled Unclassified Information,” established the DoD CUI Program requirements for designating, marking, handling, and decontrolling CUI and establishes a requirement for CUI training. Unnecessarily restricting the dissemination of DoD information by marking it CUI when the information does not require CUI marking or using limited dissemination controls (LDCs) inappropriately can limit the transparency of information that should be available for a wider audience. In the Senate Armed Services Committee’s request for this audit, the Committee expressed concern that DoD Components were using LDCs without having a legitimate rationale, thereby limiting transparency.
The National Archives and Records Administration (NARA) and DoD CUI Registries state that the FED ONLY and FEDCON LDCs authorize the sharing of CUI only with employees of the Executive Branch, which by definition excludes Congress. That exclusion contradicts a statement made to us by a NARA official, who stated that LDCs were not intended to prevent Congress from receiving documents with the required markings or impede Congressional oversight.
Although the Office of the Under Secretary of Defense for Intelligence and Security (OUSD[I&S]) established CUI guidance, the DoD Components did not effectively oversee the implementation of that guidance to ensure that CUI documents and e-mails contained the required markings and that DoD and contractor personnel completed the appropriate CUI training. These conditions occurred because the DoD Components did not have mechanisms in place to ensure that CUI documents and e-mails included the required markings, and the OUSD(I&S) did not require the DoD Components to test, as part of the Components’ annual reporting process, a sample of CUI documents to verify whether the documents contained the required markings. In addition, not all of the DoD Components and contracting officials tracked whether their personnel completed the required CUI training. The use of improper or inconsistent CUI markings and the lack of training can increase the risk of the unauthorized disclosure of CUI or unnecessarily restrict the dissemination of information and create obstacles to authorized information sharing. Furthermore, the DoD will not meet the intent of Executive Order 13556 to standardize the way the Executive branch handles CUI.
We made 14 recommendations to address the findings in this report, to include that the USD(I&S) coordinate with DoD Component Heads to develop and implement a DoD-wide solution for automatically populating documents and e-mails with the required markings based on a s et o f s election criteria. In addition, we recommend that the USD(I&S) coordinate with NARA to clarify NARA’s intent regarding sharing CUI information with Congress and updating DoD CUI guidance to reflect NARA’s intent. Furthermore, we recommend that the Defense Pricing and Contracting Principal Director direct DoD contracting officers to verify that contractor-developed CUI training meets the requirements of DoD CUI guidance and that contractors maintain documentation of completed CUI training for audit purposes.
Management Comments and Our Response
Officials from the Army Training and Doctrine Command and the Secretary of the Air Force agreed with the recommendations and described actions planned and taken to resolve the recommendations. The Acting Director for Defense Intelligence, Counterintelligence, Law Enforcement, and Security agreed with the recommendations, and their planned actions were sufficient to resolve six of the eight recommendations.
The other two comments from the Acting Director for Defense Intelligence, Counterintelligence, Law Enforcement, and Security and comments from the Defense Pricing and Contracting Principal Director partially addressed the recommendations. Further, comments from the Missile Defense Agency Executive Director did not address the recommendations and the Chief of Naval Operations did not provide comments to the draft report. Therefore, those recommendations are unresolved. We request that the Acting Director for Defense Intelligence, Counterintelligence, Law Enforcement, and Security; Defense Pricing and Contracting Principal Director; Missile Defense Agency Executive Director; and Chief of Naval Operations provide additional comments within 30 days.
This report is a result of Project No. D2022-D000CR-0177.000).